[squid-users] strange requests
|
|
| Hilal Afridi 2004-04-29, 6:55 pm |
| Joe, I still have not been able to take care of those TCP/MISS 000 requests.
I have been trying to post this question to the list but lord knows why it
ain't getting there.
Kindly do let me know what to do with those.
Regards
Hilal
| |
| Henrik Nordstrom 2004-04-29, 6:55 pm |
| On Thu, 29 Apr 2004, Hilal Afridi wrote:
> Joe, I still have not been able to take care of those TCP/MISS 000 requests.
> I have been trying to post this question to the list but lord knows why it
> ain't getting there.
This question got to the list.
What TCP_MISS/000 problem are you having?
Btw, TCP_MISS/000 indicates there was no reply to this request before the
client aborted the connection.
Regards
Henrik
| |
| Joe Cooper 2004-04-29, 6:55 pm |
| Henrik Nordstrom wrote:
> On Thu, 29 Apr 2004, Hilal Afridi wrote:
>
> This question got to the list.
>
> What TCP_MISS/000 problem are you having?
>
> Btw, TCP_MISS/000 indicates there was no reply to this request before the
> client aborted the connection.
I believe it is the same problem that I just discussed with Jason McNeil
this afternoon. Requests generated by a virus that leads to extremely
heavy file descriptor and CPU usage. The workaround (which only
partially solves the problem, but solves it well enough to prevent DoS
of the Squid process) I've been using is to turn off half_closed_clients.
However, Hilal replied further that his Squid already had this option
turned off and it didn't help. It may be that he has a larger infected
population than I've seen, or it may be a different issue entirely.
| |
|
|
----- Original Message -----
From: "Joe Cooper" <joe@swelltech.com>
To: "Henrik Nordstrom" <hno@squid-cache.org>
Cc: "Hilal Afridi" <afridi@iqranet.info>; <squid-users@squid-cache.org>
Sent: Thursday, April 29, 2004 4:05 AM
Subject: Re: [squid-users] strange requests
> Henrik Nordstrom wrote:
>
> I believe it is the same problem that I just discussed with Jason McNeil
> this afternoon. Requests generated by a virus that leads to extremely
> heavy file descriptor and CPU usage. The workaround (which only
> partially solves the problem, but solves it well enough to prevent DoS
> of the Squid process) I've been using is to turn off half_closed_clients.
>
> However, Hilal replied further that his Squid already had this option
> turned off and it didn't help. It may be that he has a larger infected
> population than I've seen, or it may be a different issue entirely.
I have the same problem over here. I have about 2000 hosts and a good number
of them are infected by viruses/worms. Even after turning off
half_closed_clients, squid slows down significantly. The average service
time, which used to be 30-40 ms, will now range 100-300 ms.
I am planning to block port 80 for these clients in our multilayer switch
instead of transparently redirecting them to the cache, and force them to
configure the proxy manually.
Any other solutions for this problem?
Venkatesh K
| |
| Henrik Nordstrom 2004-04-29, 6:55 pm |
| On Thu, 29 Apr 2004, krv wrote:
> I am planning to block the port 80 for these clients in our multilayer
> switch instead of transparently redirecting them to cache and force them
> to configure the proxy manually.
>
> Any other solutions for this problem?
Automatic firewalling on the proxy when a client is found to use very many
connections. This can be done by a combination of maxconn acl and
external_acl_type.

Needs a moderate amount of scripting to make the external_acl_type helper
which firewalls the client, but not much.

acl very_many_connections maxconn 50
external_acl_type firewall_client %SRC /path/to/helper
acl firewall_client external firewall_client

http_access deny very_many_connections firewall_client

You can also have a small program monitoring access.log and automatically
firewalling clients causing very many TCP_MISS/000 entries. This is
probably simpler and more reliable, but requires a little more scripting
(but still only a moderate amount). PERL using the File::Tail module is
recommended for the job.

I am happy to write one for you for a reasonable deposition to my paypal
account if you do not feel prepared to write such scripts yourself.
Regards
Henrik
| |
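The access.log monitoring approach described in the post above, as an added example that is not part of the original thread and is written in Python rather than the Perl/File::Tail Henrik recommends. It counts TCP_MISS/000 entries per client in a sliding window and reports each client the first time it crosses a threshold; the threshold, window, function and class names and the sample log lines are assumptions constructed for illustration, and the firewall action is left to the caller.

```python
import re
from collections import defaultdict, deque

# Native Squid access.log prefix: time elapsed client code/status bytes method URL
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+\S+\s+\S+"
)

def aborted_request(line):
    """Return (timestamp, client) for a TCP_MISS/000 entry, else None."""
    m = LINE_RE.match(line)
    if not m or m["code"] != "TCP_MISS" or m["status"] != "000":
        return None
    return float(m["ts"]), m["client"]

class AbortMonitor:
    # Hypothetical helper: sliding-window count of aborted requests per client.
    def __init__(self, threshold=20, window=10.0):  # assumed values, tune per site
        self.threshold, self.window = threshold, window
        self.recent, self.flagged = defaultdict(deque), set()

    def feed(self, line):
        """Return the client IP the first time it crosses the threshold."""
        hit = aborted_request(line)
        if hit is None:
            return None
        ts, client = hit
        q = self.recent[client]
        q.append(ts)
        while ts - q[0] > self.window:  # drop entries older than the window
            q.popleft()
        if len(q) >= self.threshold and client not in self.flagged:
            self.flagged.add(client)
            return client
        return None

def scan(lines, threshold=20, window=10.0):
    """Feed every line through a monitor; return the clients to firewall."""
    mon = AbortMonitor(threshold, window)
    return [c for c in map(mon.feed, lines) if c]

def constructed_sample():
    """Constructed log lines: one flooding client, one ordinary browsing client."""
    flood = [f"1083178900.{i:03d} 5 192.0.2.10 TCP_MISS/000 0 GET "
             f"http://example.com/{i} - NONE/- -" for i in range(0, 250, 10)]
    normal = [f"10831789{t}.000 17 192.0.2.20 TCP_MISS/000 0 GET "
              f"http://example.org/ - NONE/- -" for t in ("01", "20", "40")]
    ok = ["1083178902.000 120 192.0.2.20 TCP_MISS/200 5120 GET "
          "http://example.org/a - DIRECT/198.51.100.5 text/html"]
    return flood + normal + ok
```

Calling `scan(constructed_sample())` flags only the flooding client; the browsing client's three scattered TCP_MISS/000 entries stay under the threshold, which matters because ordinary users who navigate away early produce the same log code.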
|
| ----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "krv" <krv@kaevee.com>
Cc: <squid-users@squid-cache.org>
Sent: Thursday, April 29, 2004 3:37 PM
Subject: Re: [squid-users] strange requests
> On Thu, 29 Apr 2004, krv wrote:
>
>
> Automatic firewalling on the proxy when a client is found to use very many
> connections. This can be done by a combination of maxconn acl and
> external_acl_type.
>
> Needs a moderate amount of scripting to make the external_acl_type helper
> which firewalls the client, but not much.
>
>
>
> acl very_many_connections maxconn 50
> external_acl_type firewall_client %SRC /path/to/helper
> acl firewall_client external firewall_client
>
> http_access deny very_many_connections firewall_client
>
>
>
> You can also have a small program monitoring access.log and automatically
> firewalling clients causing very many TCP_MISS/000 entries. This is
> probably simpler and more reliable, but requires a little more scripting
> (but still only a moderate amount). PERL using the File::Tail module is
> recommended for the job.
>
> I am happy to write one for you for a reasonable deposition to my paypal
> account if you do not feel prepared to write such scripts yourself.
>
Thanks for the offer to help. I am trying to monitor the attacks using
netflow exports. I will get back to you soon.
Venkatesh K
| |
| Henrik Nordstrom 2004-04-29, 6:55 pm |
| On Thu, 29 Apr 2004, Hilal Afridi wrote:
> I didn't get a denial of service or enhanced cpu usage. I got Uplink choking
> whenever I come across such requests haven't really been able to make a
> connection.
What does access.log say in your case?
(including URL)
Regards
Henrik
| |
| Hilal Afridi 2004-04-29, 6:55 pm |
| Requests are somewhat like this.
083178815.070 1035 66.76.79.56 TCP_MISS/000 0 GET http://popup.msn.com/lbpopupframe.asp? - DIRECT/65.54.192.248 -
1083178816.081 17 66.76.79.54 TCP_MISS/000 0 GET http://ca.msn.com/ - NONE/- -
1083178853.054 197 66.76.79.54 TCP_MISS/000 0 GET http://ww.smashits.com/index.cfm? - NONE/- -
Hilal
----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Hilal Afridi" <afridi@iqranet.info>
Cc: "Henrik Nordstrom" <hno@squid-cache.org>; <squid-users@squid-cache.org>
Sent: Thursday, April 29, 2004 9:05 PM
Subject: Re: [squid-users] strange requests
> On Thu, 29 Apr 2004, Hilal Afridi wrote:
>
> What does access.log say in your case?
>
> (including URL)
>
> Regards
> Henrik
>
>
>
| |
| Henrik Nordstrom 2004-04-29, 7:37 pm |
| On Fri, 30 Apr 2004, Hilal Afridi wrote:
> requests are somewhat like this.
> 083178815.070 1035 66.76.79.56 TCP_MISS/000 0 GET
> http://popup.msn.com/lbpopupframe.asp? - DIRECT/65.54.192.248 -
>
> 1083178816.081 17 66.76.79.54 TCP_MISS/000 0 GET http://ca.msn.com/ -
> NONE/- -
> 1083178853.054 197 66.76.79.54 TCP_MISS/000 0 GET
> http://ww.smashits.com/index.cfm? - NONE/- -
These are all probably normal, just a user moving on to other pages before
the requested server had a chance to answer.
Regards
Henrik